Enhance modpack content validation to prevent unsafe file paths and improve error logging

Skidamek · Skidamek · commit 9c0ce912ee25 · 2025-12-19T15:22:08.000+01:00
diff --git a/loader/core/src/main/java/pl/skidam/automodpack_loader_core/client/ModpackUtils.java b/loader/core/src/main/java/pl/skidam/automodpack_loader_core/client/ModpackUtils.java
@@ -550,26 +550,45 @@ private static Boolean askUserAboutCertificate(InetSocketAddress address, String
         return accepted.get();
     }
 
-    // check if modpackContent is valid/isn't malicious
     public static boolean potentiallyMalicious(Jsons.ModpackContentFields serverModpackContent) {
-        String modpackName = serverModpackContent.modpackName;
-        if (modpackName.contains("../") || modpackName.contains("/..")) {
-            LOGGER.error("Modpack content is invalid, it contains /../ in modpack name");
+        if (isUnsafePath(serverModpackContent.modpackName)) {
+            LOGGER.error("Modpack content is invalid: modpack name '{}' is unsafe/malicious", serverModpackContent.modpackName);
             return true;
         }
 
-        for (var modpackContentItem : serverModpackContent.list) {
-            String file = modpackContentItem.file.replace("\\", "/");
-            if (file.contains("../") || file.contains("/..")) {
-                LOGGER.error("Modpack content is invalid, it contains /../ in file name of {}", file);
-                return true;
-            }
+        if (serverModpackContent.list == null || serverModpackContent.list.isEmpty()) {
+            return false;
+        }
 
-            String sha1 = modpackContentItem.sha1;
-            if (sha1 == null || sha1.equals("null")) {
-                LOGGER.error("Modpack content is invalid, it contains null sha1 in file of {}", file);
+        return serverModpackContent.list.parallelStream().anyMatch(item -> {
+            if (isUnsafePath(item.file)) {
+                LOGGER.error("Modpack content is invalid: file path '{}' is unsafe/malicious", item.file);
                 return true;
             }
+            return false;
+        });
+    }
+
+    private static boolean isUnsafePath(String rawPath) {
+        if (rawPath == null || rawPath.isBlank()) return true;
+
+        // Null Byte Check
+        if (rawPath.indexOf('\0') != -1) return true;
+
+        // Most files are just "mods/fabric-api.jar", so they hit this and return false immediately
+        if (!rawPath.contains("..")) {
+            return false;
+        }
+
+        // We must distinguish between malicious "../" and valid names like "super..mario.jar"
+        String normalized = rawPath.replace('\\', '/');
+
+        // Edge case
+        if (normalized.equals("..") || normalized.equals(".")) return true;
+
+        String[] segments = normalized.split("/");
+        for (String segment : segments) {
+            if (segment.equals("..")) return true; // Directory traversal
         }
 
         return false;
